Journal of Computer Applications ›› 2018, Vol. 38 ›› Issue (10): 2934-2939. DOI: 10.11772/j.issn.1001-9081.2018030617

• Cyberspace Security •

New design of linear structure for round-reduced Keccak

LIU Xiaoqiang1,2, WEI Yongzhuang2,3, LIU Zhenghong1

  1. Guangxi Key Laboratory of Cryptography and Information Security (Guilin University of Electronic Technology), Guilin Guangxi 541004, China;
    2. Guangxi Key Laboratory of Wireless Wideband Communication and Signal Processing (Guilin University of Electronic Technology), Guilin Guangxi 541004, China;
    3. Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems (Guilin University of Electronic Technology), Guilin Guangxi 541004, China
  • Received: 2018-03-26 Revised: 2018-04-29 Online: 2018-10-10 Published: 2018-10-13
  • Corresponding author: WEI Yongzhuang
  • About the authors: LIU Xiaoqiang (born 1993), male, from Datong, Shanxi, M.S. candidate; main research interest: analysis of symmetric cryptographic algorithms. WEI Yongzhuang (born 1976), male, from Tianyang, Guangxi, professor, Ph.D.; main research interests: design and analysis of symmetric cryptographic algorithms. LIU Zhenghong (born 1979), male, from Hong'an, Hubei, lecturer, M.S.; main research interests: wireless broadband communication, FPGA, GPU parallel computing.
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61572148) and the 2016 Director's Fund Project of Guangxi Key Laboratory of Wireless Wideband Communication and Signal Processing (GXKL06160112).

Abstract: To address the linear decomposition of the S-box layer in the Keccak algorithm, a new method for constructing linear structures was proposed, based mainly on the algebraic properties of the Keccak S-box. Firstly, some constraints on the input bits of the S-box layer needed to be fixed, to ensure that the state data still had a linear relationship after passing through this linear structure. Then, combined with the idea of the meet-in-the-middle attack, a new method for constructing zero-sum distinguishers of round-reduced Keccak was given. The experimental results show that the new distinguisher, which extends 1 round forward and 1 round backward, achieves the distinguishing attack on 15-round Keccak that is currently the best in theory, with its complexity reduced to $2^{257}$; the new distinguisher, which extends 1 round forward and 2 rounds backward, has the advantages of more free variables and richer combinations for distinguishing attacks.

Key words: Secure Hash Algorithm 3 (SHA-3), Hash algorithm, meet-in-the-middle, zero-sum distinguisher, linear structure

CLC number:
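The abstract's idea of fixing S-box input bits so that the state stays linear can be seen on a single 5-bit row of Keccak's S-box χ. The following is an added example, not code from the paper, and it shows the generic property of χ rather than the authors' specific construction: every quadratic term of χ is a product of two cyclically adjacent bits, so a row whose free bits are non-adjacent passes through χ affinely, and XOR-summing χ over a subspace of dimension above its degree 2 gives zero. All function names are this example's own.

```python
from itertools import product

def chi(row):
    """Keccak chi on one 5-bit row: y[i] = x[i] ^ (~x[i+1] & x[i+2])."""
    return tuple(row[i] ^ ((row[(i + 1) % 5] ^ 1) & row[(i + 2) % 5])
                 for i in range(5))

def xor(*vs):
    """Bitwise XOR of equal-length bit tuples."""
    return tuple(sum(bits) & 1 for bits in zip(*vs))

def subspace(free, consts):
    """All rows with the bits in `free` varying and the others fixed to `consts`."""
    fixed = [i for i in range(5) if i not in free]
    rows = []
    for vals in product((0, 1), repeat=len(free)):
        row = [0] * 5
        for i, c in zip(fixed, consts):
            row[i] = c
        for i, v in zip(free, vals):
            row[i] = v
        rows.append(tuple(row))
    return rows

def is_affine_on(free, consts):
    """chi is affine on the subspace iff chi(a^b^c) == chi(a)^chi(b)^chi(c)."""
    rows = subspace(free, consts)
    return all(chi(xor(a, b, c)) == xor(chi(a), chi(b), chi(c))
               for a in rows for b in rows for c in rows)

def linearizable(free):
    """True if chi is affine for every choice of the fixed (constrained) bits."""
    return all(is_affine_on(free, consts)
               for consts in product((0, 1), repeat=5 - len(free)))

def zero_sum(free, consts):
    """XOR of chi over the whole subspace; all-zero means the outputs sum to zero."""
    return xor(*[chi(r) for r in subspace(free, consts)])

if __name__ == "__main__":
    print("free bits (0, 2) linearizable:", linearizable((0, 2)))
    print("free bits (0, 1) linearizable:", linearizable((0, 1)))
    print("sum over 3-dim subspace:", zero_sum((0, 1, 2), (0, 1)))
```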